Slashdot videos: Now with more Slashdot!

View

Discuss

Share

We've improved Slashdot's video section; now you can view our video interviews, product close-ups and site visits with all the usual Slashdot options to comment, share, etc. No more walled garden! It's a work in progress -- we hope you'll check it out (Learn more about the recent updates).

itwbennett writes "Ninety of the 249 Zeus command-and-control servers were knocked offline overnight when two ISPs, named Troyak and Group 3, were taken offline. Whoever was behind the takedown 'just decided to knock out a large area of cyber-crime, and this was probably one of the easiest ways to do it,' said Kevin Stevens, a researcher with SecureWorks. As with the McColo takedown of just over a year ago, Troyak's upstream providers seem to have knocked it off the Internet, Cisco said in a statement. 'The ISP was "De-peered,"' Cisco said. 'Troyak's upstream network providers effectively pulled the plug on Troyak's router, refusing to transmit its traffic.'"

I have a difficult time understanding how Zeus is *still* around; it started in mid 2007! According to WP, it has more than 3.6 Million infected PCs.

There is no reasonable stance that defends the existence or the activities of botnets either legally or morally. How is it that we know there are 150 other command nodes, presumably that we can also discover their IP addresses, but law enforcement has been unable to bring them down?

While I understand there are differences in laws, and with what is legal and what is accepted in different jurisdictions, but this seems patently absurd. If an ISP provides service to a verified botnet control node, and refuses to quickly turn them off, I would expect immediate upstream action like this. Why hasn't this happened even more?

Taking down the servers is a political matter, not a technical one (in general). But I would imagine that clearly harboring illegal activity would be sufficient motivation for anybody. Imagine if we classified servers like we do countries that support terrorism?

But even if we got all 249, it's like playing whack-a-mole or cutting off the head of a hydra.

Just look at what happened to Blue Security. They put spam down so well that a pissed off spammer lobbed an electronic nuke at them.

The guys that took out Blue were able to do so because they had a freaking ARMY of computers. An army, by the way, that they built up through illegal means. Now, accumulating firepower through theft, that does sound like a form of terrorism to me.

Now, accumulating firepower through theft, that does sound like a form of terrorism to me.

Despite what the talking heads on TV or the politicians have told you to think, terrorism does not mean "anything illegal" or "anything against the interests of the country". Terrorism is an activity that is designed to accomplish its goals through the use of fear and paranoia against the general population.Stockpiling a supply of bombs does not make you a terrorist, using or threatening to use them against a target such as a school does.

Well, a bunch of guys (spammers) from specialham decided that BlueFrog was working a bit too well at killing spam so they basically threw everything they had at Blue security while simultaneously launching a massive propaganda and FUD campaign online (where they made all sorts of unsubstantiated claims about Blue Security and the BlueFrog software).

This kind of behaviour from spammers is one of the reasons I wouldn't be the least bit upset if the top 10 spammers in the world were all found one morning with holes in their heads, hopefully it would at least dissuade others (and stop these particular asshats).

Well, most legit ISPs regardless of size tend to put a clause in their ToS about their customers not being allowed to do things that disrupt the network, and spamming and DDoS attacks seem like good enough reasons for claiming someone is disrupting the network. Hell, when I worked the abuse desk for an ISP we would warn residential customers after we got the first indication or complaint about them, disconnect them and send them a letter the second time and only reconnect when they contacted us and verified that they had fixed the problem, if there were any further complaints we would often just cut them off completely (sometimes giving them the option to present us with a receipt from a computer store showing that they'd had their computer looked at by someone there before finally cutting them off).

No reason to make this about laws that tell ISPs what they must police in their networks, if the respectable and serious ISPs start taking their own Terms of service seriously and actually act on them even when the customer is another ISP then we'd have a lot fewer problems with botnets and spam.

Yes, but a customer who is cut off from the network makes the company no profit, signs up with a competitor without these draconian "shoot first, ask questions later" regulations, and eventually "most legit ISPs" go out of business.

You're assuming that most customers would not fix their equipment and that they would switch to another ISP, my experience tells me otherwise, most users will rather fix their own equipment than change ISPs.

Also, did you notice the second paragraph where I mentioned ISPs actually using these rules against other ISPs who are their customers? We're not talking about Bargain Bob's Discount Intarwebs here, we're talking about Level 3, TeliaSonera, Verizon, AT&T et al actually bothering to disconnect Bargain

If 90 of their command and control servers are knocked off can't they just push an update out through one of their other 159 command servers to the botnet to add another 1000 potential command and control servers scattered around the internet?

Meanwhile, the more legitimate ISP's don't want to spend the money to block the command/control servers individually on their networks.

I suspect the "expense" they're afraid to incur would most likely be in the form of legal costs. Give a decent sysadmin any size list of culprits and he'll script a way to block them within a day, max. Fighting lawsuits, OTOH, is quite expensive, bogus or otherwise.

... presumably that we can also discover their IP addresses, but law enforcement has been unable to bring them down?

As I understand it, they don't use static IP addresses. They change their IP addresses frequently. They use all kinds of tricky schemes to shield their activities. It sounds like some of their schemes have been figured out lately and successfully attacked.

With your line of reasoning, thepiratebay would have gone down and stayed down in spite of Swedish law and not because of it.

I can't say whether or not the laws of the lands in which the remaining servers reside make their existence illegal -- I hope they do or I hope they will soon -- but it is best to act within the law rather than outside of it.

I am glad that thepiratebay is still up and running. I find it useful. And if it means tolerating the existence of botnets for the same reasons, I could learn t

As a PC repairman allow me to explain why Zeus is still around, it is because the OEMs suck ass, that's why. You see ever since XP Sp2 (and some even earlier) the OEMs have been loading PCs with images that have the absolute worst default security policies you can possibly imagine, hell a junior HS student could do better. They set up an obvious username with no password, like "HP_User" and then go and turn autoupdates to OFF. In fact in 6 years I don't think I've seen an OEM PC with autoupdates activated. Just yesterday I had one cross my desk that the patches only went to SP2, that was...what 7 years ago? Hell no wonder there are so many botnets, the OEMs make it so any script kiddie can own millions of PCs!

As for TFA, my guess is that many of the C&C servers are hosted in some idoncareistan, where a nice fat bribe will make all those problems go bye bye. Just look at Nigeria, where scamming is practically a noble profession. And it isn't like they can't find plenty of sleazeballs here in the USA that will be happy to do business with them as long as the money is green.

Ultimately if we are gonna turn the tide I think it has to start with the OEMs before the customer ever picks up the PC. We need to demand some basic common sense, like having the user pick a password on first launch, having automatic updates set to on as default, and having some rules with regards to the crapware AVs they install, such as having it refuse to start if it is no longer good, so the user won't have a false sense of security. If I had my way it would give the user a list of AVs on first run, including free ones, like Windows 7 did on first start, but since I haven't had any OEM Windows 7 machines cross my desk yet I'm sure the OEMs disabled that as well. But expecting the customer to know their machine is crippled from the factory, as well as the steps to fix it, is just insane when so much can be done at the factory to negate this problem IMHO.

The Internet Service Providers providing internet service to the 90 zeus command nodes suddenly (and involuntarily) stopped providing internet service. TFA attributes this to "anonymous community action". Basically, someone got irritated at the bot net and blacked out a fair chunk of Kazakhstan in order to damage it.

Troyak and Group 3 were like car dealerships, who sold cars to evil customers, who ran car-botnets. The suppliers of Troyak and Group 3 decided to stop supplying cars to them, so they couldn't resell the cars.

How about this one then - Zeus is like a Toyota. It keeps going and going, no matter how hard you try to put on the brakes to its activities. However after a long fight someone found a way to hit the brakes, emergency brakes, positioned a cop car in front of, and slowed it down enough to yank the key out. Troyak and Group 3 are like Toyota car dealerships. All of their cars (Servers) are now sitting idle because no one in their right mind wants to go anywhere near - or in front of - a Toyota, er a Zeus bot.

PRALINE: All right then, if it's syncing I'll sync with it. (shouts into cabinet) Hello Khaki! I've got a nice piece of Cat 6 for you when you wake up, Khaki!

SYSADMIN: (jogging rack) There it blinked.

PRALINE: No it didn't. That was you yankin' the wire.

SYSADMIN: I did not.

PRALINE: Yes, you did. (unplugs wire from cabinet, shouts into the end of the ethernet cable) Hello Khaki, Khaki (whips it against counter) Khaki host, wake up. Khaki. (throws it in the air and lets it fall to the floor) Now that's what I call a dead host.

SYSADMIN: No, no it's stunned.

PRALINE: Look my lad, I've had just about enough of this. That host is definitely depeered. And when I leased it not half an hour ago, you assured me that its lack of connectivity wad due to it being tired and shagged out after delisting a porn site.

SYSADMIN: It's probably pining for the fjords.

PRALINE: Pining for the fjords, what kind of talk is that? Look, why did it refuse to connect the moment I got home?

PRALINE: It's not pining, it's unplugged. This host is no more. It has ceased to be. Its license has expired. This is a late host. It's a brick. Bereft of electrons, it rests in peace. And if you hadn't taped a flashlight inside the case, the only cycles it would ever see from here on out are re-cyclers. It's dropped out of DNS and unjoined the internet invisible. This is an ex-host.

SYSADMIN: Well, I'd better replace it then.

PRALINE: (to camera) If you want to get anything done in this country you've got to complain till you're blue in the mouth.

According to this article [goodgearguide.com.au]: "Just hours after Internet service providers severed network connectivity to Troyak, an ISP associated with the Zeus botnet, the ISP has regained connectivity after peering with a new upstream Internet service provider."

As far as I can tell, Cisco wasn't involved in the decisions. It looks like the writer went to the two ISPs for comment, but came up dry--well, except for that one anoymous comment. Then the writer asked Cisco what they thought about the whole thing to fill out the piece. Probably the ISPs are afraid of being targeted in retaliation and want to keep a low profile.

What? no no, The God Mars isn't into that crap! Zeus is planing to fuck up Silverstein's concert this coming 15th down at the Jersey shore. You know, the post-hardcore band with that song, The Ides of March? It's track #3 on their full length studio album, Discovering the Waterfront. Mars really digs them, loves to get totally wasted, get in brutal fights and steal lose women from their punk-ass boyfriends while at their shows...

Haven't you been keeping up with all this? We're talking about the Gods for God

The only way to truely combat cybercrime is to just cut the connection.

When you have a country that willingly harbors criminals - just because they are attacking someone else - the problem ceases to be one of law enforcement or diplomacy. Sure, you can try to send some cops over there and see what can be accomplished. For the most part, not much.

The key is that if Russia, Bulgaria, Romania or whereever wants to have "Internet freedom" for their citizens where they can do whatever they heck they want without any consequences, the only possible response is for everyone else on the planet to just agree to pull the plug.

Now, so far it has been impossible to make this happen. Nobody has cared enough because "well, it is just some virtual land called cyberspace." For the most part, law enforcement doesn't care if people are robbed in cyberspace - it isn't really their jurisdiction. There is no global cop that can go anywhere to track down cybercriminals, and in most of the world a request to please go down and arrest someone because they committed a crime somewhere else is met with guffaws and snickers. So as long as your local law enforcement was willing to turn a blind eye to your activities, you could pretty much get away with anything.

And believe me, in most of the world today, law enforcement has a lot better things to do than deal with any sort of computer crime. So there are zero consequences. Something a lot of people have learned over the last 15 years or so. Of course a few Unix geeks knew that since 1980 or so.

Now, if this sticks and if it can be repeated - both of which are highly doubtful - we might actually get somewhere in having some real consequences for bad actions on the Internet. But I suspect this will all be put back together next week (if not sooner) and there will continue to be zero consequences. Keep this in mind, because if you annoy someone enough on the Internet there is a chance they already know there are no consequences in most of the world. Lori Drew is a case in point. They really wanted to nail her for something, anything. But the rule of cyberspace wins out in the end. The physical world has real consequences, the virtual world has only virtual consequences.

The only way to truly combat cybercrime is to just cut the connection.

What will end up happening is that there will be several chunks of the "Net". So Nigeria can do its own thing(as an example). There's absolutely nothing to keep other countries from yanking the plug on anyone that they want as soon as it crosses their borders. "We don't like you - get lost" seems like a fairly effective way, especially for countries that lack a proper satellite infrastructure and have to rely on optical and metal/coppe

Sensible and caring people would muzzle him so that he could still listen and participate (via writing or sign language), you NARGIN FLARGIN WERTHERS CANDIES!

Heh. But, seriously. They can't get internet, but they do have news feeds and newspapers and all of the non-digital technology at their disposal, so it IS a bit like they can effectively only listen to part of what's going on until they stop trying to ruin it for everyone else.

The countries of the world that have the power need to flex their muscles and deny those who don't police their own traffic adequately a chance to participate.

So you suggest our great leaders should cut every country from the internet that doesn't implement the terrorist-and-child-molester-stopping three strikes law? Politicians will abuse every power that we the people give them.

Obviously not. But what exactly should we do when there is a known criminal element(remember this - it's kind of important) that is abusing and making the rest of us unsafe as well as so burdened by their activity that it actually is causing the entire Internet to nearly come to a screeching halt? Perhaps my previous example was wrong and I should have likened it to an outbreak of a disease. Of course you quarantine the area. If they won't do

It's not that no-one cares enough, it's just that there's a bigger picture. Countries benefit from international trading, and internet connectivity is part of that. The geopolitics here are bigger than just stopping spam. The US government isn't going to put a virtual trade embargo on a country just for spam, as the beenfits (either to the country or to the rulers of that country) outweighs the negatives by quite some margin.

There seems to be an implication that Troyak and Group 3 were somehow complicit with all this botnet activity, yet no such claims are actually being explicitly made - just that the ISPs have been "associated" with these botnets, whatever that means.

Did these ISPs have legitimate customers who have now been cut off because of the criminals alongside them on the ISP's network? Was the ISP asked to deal with the situation first, and either ignored or refused such requests? If these ISPs were fronts for the botnet owners, where's the evidence? Did someone just think, oh, there are a bunch of bad guys on this ISP; let's cut the whole thing off and fuck the rest of their customers?

This action sounds like the IT equivalent of a government blowing up an entire city block because a couple terrorists are renting an apartment there.

If these ISPs have legitimate customers, hopefully they sue the hell out of the upstream for this.

When a botnet’s executable is contacting server xyz, and server xyz’s IP address belongs to you, damn right you will know about it, because if you don’t figure out on your own that you’re providing internet connectivity to a botnet control server, you’ll soon be notified by authorities and asked to cut the plug on the customer who’s running the server.

All it takes is some antivirus/antimalware group to reverse-engineer the code and determine that yes, in fact, it IS using

In the past, when this sort of thing has been suggested, the cries of "vigilante" and "lawlessness" were cried from the highest mountaintops, and the lowest swamps of the Internet. And anyone who actually DID anything was pilloried and run out of town on a rail.

[sarcasm] What changed, I wonder? [/sarcasm]

Now that the losses are in the hundreds of millions, in several dozen different currencies, those same voices seem to have lost their enthusiasm.

The Internet Death Penalty is older than Slashdot and even older than some Slashdot users. The internet is based on huge number of peering agreements, agreements which can be made, changed and terminated. The structure of the internet changes all the time. Take a look at the BGP updates if this interests you. One of the reasons for depeering is "you're causing us too much trouble, so we don't want your business anymore." Then the shunned ISP has to find another uplink. Sometimes no other ISP wants to act as

The target is a "user". Anyone that doesn't understand system administration and security that is left alone with a computer can defeat anything that the OS does. If your grandma wants to install something like WeatherBug on Linux and the software to do this exists, she will succeed. If it requires root access and she has it, she will provide it in copious amounts for the malware application. Whatever is needed will be provided. Because she knows she wants to install this, for some utterly unknown reason.

Now, if you have a computer that it is impossible for the user to install stuff on, well then you have a much more secure platform. Unfortunately, this requires an administrator for those cases where something is really needed and actually should be installed. Once the user and the administrator are the same person, you have just lost any semblance of security.

99% of the Windows machines in homes out there do not have an administrator other than the user themselves. If these were magically replaced by Linux machines with the same administrator, this wouldn't solve anything. Sure, the user would need to do sudo or su in order to really screw things up, but if the application they thought they wanted to install asked for it, they would do it.

Maybe it's because this is Slashdot, and everyone with half a brain knows that the malware writers target Windows almost exclusively. Whether this is because it's insecure or because of popularity, or otherwise, is up to the reader.
None of the rest of us need that to be repeated over and over again to satisfy the sense of self-worth you get just because you don't use it.

Nobody likes to see crooks get away with being crooks but keep in mind if you are championing the forced removal of content like this, then you are also championing the removal of any content deemed objectionable by a governing body.

Please drop the strawman and move away slowly.Botnets are NOT content.